You are on page 1of 34

Conversations in Cyberspace

Conversations in Cyberspace
Giulio D’Agostino
Conversations in Cyberspace

Copyright © Business Expert Press, LLC, 2019.

All rights reserved. No part of this publication may be reproduced,

stored in a retrieval system, or transmitted in any form or by any
means—electronic, mechanical, photocopy, recording, or any other
except for brief quotations, not to exceed 400 words, without the prior
permission of the publisher.

As part of the Business Law Collection, this book discusses general

­principles of law for the benefit of the public through education only.
This book does not undertake to give individual legal advice. ­Nothing
in this book should be interpreted as creating an attorney-client
­relationship with the author(s). The discussions of legal frameworks and
legal issues is not intended to persuade readers to adopt general solutions
to general problems, but rather simply to inform readers about the issues.
Readers should not rely on the contents herein as a substitute for legal
counsel. For specific advice about legal issues facing you, consult with
a licensed attorney.

First published in 2019 by

Business Expert Press, LLC
222 East 46th Street, New York, NY 10017

ISBN-13: 978-1-94897-670-1 (paperback)

ISBN-13: 978-1-94897-671-8 (e-book)

Business Expert Press Business Law and Corporate Risk Management


Collection ISSN: 2333-6722 (print)

Collection ISSN: 2333-6730 (electronic)

Cover and interior design by Exeter Premedia Services Private Ltd.,

Chennai, India

First edition: 2019

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America.

Conversations in Cyberspace is a collection of insights on the current state
of security and privacy in the Internet world, a brief introduction to some
of the most used OSINT (open-source intelligence) tools and a selection
of interviews with some of the key figures in ICS (industrial control sys-
tems), APT (advanced persistent threat) and online/deep web members
organizations. This book aims to be an introduction to the relationships
between security, OSINT and the vast and complex world hiding in the
deep web for both the security professional and the system administrator
interested in exploring the today’s concerns in database design, privacy
and security-by-design, and deep web members organizations including
Cicada 3301, the Unknowns, Anonymous, and more.

Deepweb; Dark Web; Hacker; Hacktivist; Cybersecurity; Cicada 3301;
The Unknowns; Anonymous; Atlayo; Grams; Torch; Hidden Wiki; Tor;
Podesta emails; Greg Walton; Cyberspace; Security; Privacy; Cryptogra-
phy; GCHQ; GDPR; Debian; Linux; Maltego; AI
Chapter 1 Introduction���������������������������������������������������������������������1
Chapter 2 Conversations in Cyberspace������������������������������������������19

About the Author��������������������������������������������������������������������������������157


Conversations in Cyberspace is a collection of insights and online conver-
sations (both on IRC chats and encrypted e-mails) on the current state of
security and privacy in the online world with a focus on the Deep Web.
I have also included a brief introduction to some of the most used open-
source intelligence (OSINT) tools and a selection of interviews with some
of the key figures in industrial control systems (ICS), advanced persistent
threat (APT) and hackers/hacktivists groups.
During the making of this short book, I have quickly realized I had to
include interviews and insights from both people involved in the defense
side of security and hackers/“crackers” who enjoy the intellectual chal-
lenge of creatively overcoming limitations and restrictions of software
systems to achieve novel and unexpected outcomes.
The picture that comes out is a fascinating scenario where the cyber-
space is becoming remarkably similar to the “physical space”; an increas-
ing amount of people, groups and organizations are getting concerned
about privacy, trust and information shared and promote both in the
“clearnet” and the so-called “deep web.”
This book aims to be an introduction to the relationships between
security, open source intelligence and the vast and complex world hiding
in the deep web for both the security professional and the system admin-
istrator interested in exploring the today’s concerns in database design,
privacy and security-by-design.
Offensive security, the team that developed the Kali Linux OPS, one
of the most popular pen testing operation systems, cleverly summarizes
the hacking spirit with the quote “the quieter you become, the more you
can hear” borrowed from the 13th-century Persian poet, Jalāl ad-Dīn
Muhammad Rumi.
October 31, 2018, Europe
2 Conversations in Cyberspace

Search Engines
Finding information on the Dark Web is not difficult. There are lists
of Dark Web sites, and you will find Dark Internet search engines. The
Onion sites provided in search results present challenges not found in a
Bing or Google search results list.
The websites may be temporarily offline, a frequent problem with
Dark Web Onion websites. Latency can make entering a query, obtaining
results, and visiting the site in a results list time-consuming. Google-like
response time is the exception.
The rule is to allocate sufficient time for Tor sluggishness. Addition-
ally, the sites in the results list may be operated by law enforcement or an
intelligence entity.
If a Dark Website looks too good to be true, approach with caution,
registering or downloading content can allow malware in your computer.
We reiterate these warnings because most Bing and Google users are
conditioned to enter a question, scan results list, and see websites confi-
dent that problematic destinations are filtered out.
Searching the Dark Web requires a more careful mindset. Keep
in mind that you can use your sandboxed computing device to access
­Surface Web and Dark Internet websites.

Hidden Wiki

Among those easy-to-find “navigator” services for the Dark Web is the
Hidden Wiki. With Tor up and running, enter the URL http://thehid- and click on a link. The selected Dark Web site will appear
in the Tor browser.
If you are using the Tor software package, you can click on a link.
The site will display if it is online. Delays for a few Tor functions
maybe 50 seconds or more.
The Hidden Wiki provides Onion links to chosen Dark Web sites in
various categories.
The Hidden Wiki is another starting point for Dark Internet surfing.
If a website does not resolve, you will have to try again later. You may
Introduction 3

also use the Paste-bin lookup methods described in the previous chapter
to find out if a new Onion speech was posted. If the Hidden Wiki does
not respond, an alternate supply of directory list is TorLinks in https://
This website features similar categories and a similar number of list-
ings. If your curiosity is participating in Dark Web forums, you may
use the list of discussion groups to learn more about the conventions of
Dark Internet services. The study team discovered that one has to build
a relationship with the community of every forum. Some forums have a
crowd-sourced score, like the consumer ratings on eBay or Amazon. The
methods vary by Dark Web forum.


The Ahmia search system can be queried without the Tor software
installed; however, to access a site, you will need to use your Tor-equipped
computing device. The Surface Web URL is; the Onion
speech was http://msydqstlz2kzerdg.onion. The Ahmia code is an open
source project with a repository on GitHub.
Ahmia, operated from Finland, bills itself as a “search engine for solu-
tions resident on the Tor anonymity network.”
The system does not maintain Internet Protocol filters and logs results
to knock out child abuse hyperlinks.
The system is integrated with GlobalLeaks and Tor2Web.
The system was created by JuhaNurmi, who is the chief executive of
the Finnish company Dignify Ltd. ( Dignify offers data
mining and cyber security research providing information about drug
markets and other law enforcement issues.
At the top of the splash screen is a link to “Statistics.” The informa-
tion, when it is available, is helpful. The index contains links to about
5,000 DarkWeb sites. hmia was a 2014 Google Summer of Code project.
The goal was to improve the Ahmia system.
In July 2015, Ahmia published a list of Websites which were made to
collect traffic from “real” Dark Web sites. In the summer of 2016, Ahmia
has been offline more than it has been online.
4 Conversations in Cyberspace


Grams is situated at http://grams7enufi7jmdl.onion. One enthusiast

clarified Grams as “the Google of the Dark Web.” In a 2014 interview,
a Grams’ system administrator said Grams utilizes a proprietary search
technology which displays results from e-commerce websites as well as
other kinds of Dark Websites.
Users can add websites to the Grams system for indexing and inclu-
sion in the system.
Grams does not support index child pornography. The process is
operated by what appears to be an Eastern European digital money ser-
vice. Grams offers unique attributes; for instance, a vendor and product
search, and the user-friendly Flow, which enables the use of plain English
to locate a specific Dark Web site. In 2015, the study team used Grams to
find Pappy Van Winkle whiskey after a major shipment was stolen.
The lack of relevance underscored the issues Grams poses to an
Grams does a fantastic job of pointing a researcher to complete, free
books available on Dark Web websites.
The service does an excellent job of indexing medication-related sites.
With the inclusion of the Flow service, it is easy to locate specific Dark
Web sites provided that the investigator knows the title of the site.
I have found that Grams was able to yield useful results, but its inclu-
sion of irrelevant, off-topic results generated manual inspection of the
result pages necessary. Used in concert with other Dark Internet search
systems, Grams is acceptable.

Not Evil

Not Evil, located at https://hss3uro2hsxfogfq.onion, is a re-branding of

TorSearch and Evil Wiki. The links are filtered. The relevance algorithm
takes into consideration what users click on. Not Evil’s operator keeps a
low profile. The service does not accept DarkWeb advertising. The system
allows a user to start a secure conversation with another not Evil user with
a chatbot identified as “Ned,” an acronym for not Evil Drone. The not
Evil system includes a “chat” function from inside Tor. One can begin a
Introduction 5

conversation about a query using a chatbot or an anonymous user. Also,

not Evil displays the number of items in the index which match the query.
Along with the search, the system provides the number of links the not
Evil system has indexed. Finally, not Evil provides an application pro-
gramming interface so that not Evil’s performance can be integrated into
other applications.

Onion Link

Onion Link can be found at Why is this Dark Web

search system interesting is that it appears to use the Google custom
search function as well as the Ahmia index to create results? The index
comprises links to approximately 20,000 Dark Web sites, depending on
the study analysis of Onion Link search results. About six years back,
Google operated a Dark Web site, then that website was taken offline.
Since that time, Google has not revealed information about its Dark
Internet activities. Google did invest in Recorded Future, a company
which indexes Dark Internet content. One hypothesis the study team
devised was that Google might index some Dark Web content for its
research and to support the work of their Google-backed Recorded
Future. In late 2016, Google’s indexing of glue websites decreased based
on our evaluation queries.


The Torch search system presents a search box, Dark Web advertising,
and a link for people wanting to advertise on the Torch system. Notice
that when this screenshot was taken, Torch reports that its index contains
about 500,000 Dark Web pages, which is about one-third fewer than in
other Dark engines. Torch is one of the lower profile Dark Web search
programs. One useful feature of the system is term highlighting. The rel-
evancy score produced by the search system makes it easy to spot the
frequency of the terms in the indexed site. Results list entries reveal a date
where the Torch indexing subsystem visited a site. Torch Dark Web search
can be useful. We recommend using it from inside a sandbox.
6 Conversations in Cyberspace

Free Search Methods

Free Dark Internet search methods provide convenient, easy access to

many Dark Web sites. However, none of the systems is without serious
shortcomings. The approach I have developed involved crafting a query
and then running that query on the five search systems discussed in this
chapter. I then downloaded the first five sets of results and merged them.
I then visited the Dark Websites which seemed to be most relevant to
the specific issue we were investigating. What is obvious is that the time
and effort needed to carry out manual queries and results analysis was
a ­burden. There are commercial Dark Internet search systems available
to law enforcement, security, and intelligence professionals. Commer-
cial Dark Web search services from Digital Shadows, Recorded Future,
and other businesses provide more useful, timely, and accurate DarkWeb
search results.

Deep Web Tools

Software like operating systems and popular applications like Web brows-
ers have defects. Programmers can use these issues to put software on a
computing device.
The software can arrive via a downloadable file like an image or a
Other malware—the typical term for malicious software—offers
to install a program, a file, or an image that carries a payload; that is,
malware that the unsuspecting user knows nothing about. The malware
compromises the user’s computing device or a server. The capabilities of
exploits and malware are becoming broader and evolving quickly.
One reason is that compromising a user’s computer before the data
are encrypted sidesteps the barrier of data which must be decrypted.
Additionally, software on a user’s computer or a Dark Web site’s server
eases intercepting traffic and eliminates the need for physical access to a
user’s device.
Terminology can be confusing. Hacking tools are called security
suites, penetration testing (pentest) software, or malware.
No matter their labeling, many of these hacking tools in the hands of
a programmer can shine a bright light on Dark Web activities.
Introduction 7

The software can be utilized in many ways. The study team has identi-
fied three widely-used approaches to the use of hacking tools.
Depending on the resources available to an investigative team, the
specific solution implemented can include software created by a team
member or the department. In several associations, exploit tools are
licensed from sellers.
The researchers can deploy the software, often working with the ven-
dor’s engineering team. For some instances, a department or investigative
team may contract with a third-party firm such as Northrop Grumman or
BAE Systems to deal with the work. Malware takes many forms.
Many Deep Web/Dark Web passive collections methods and tools are
available. These range from placing the needed code within a computer’s
operating system or applications to putting malware into the firmware of
the computing device. Even though the latter is a more laborious method,
some malware cannot be removed or disabled even if the device’s memory
is erased and a new copy of the operating system installed.
A covert surveillance technique is to set up the malware via a Dark
Web session. Many Dark Web users assume their Tor or I2P Dark Inter-
net surfing can’t be compromised. That’s incorrect. Once the malware
is put on the user’s computer, the software can intercept and transmit
the Dark Web user’s information. The Dark Web user’s information is
transmitted via the Surface Web to avoid the requirement to have spe-
cial software running on the Dark Internet user computing device. Once
installed, the malware conducts its activities invisibly and without chang-
ing the lousy actor’s computer in a readily visible way. The advantage of
this approach to surveillance is that encryption doesn’t pose a problem
to the investigator. The user’s keystrokes are recorded. The data aren’t
encrypted because the malware captures the Dark Internet user’s key-
strokes and saves this unencrypted data. An investigator can recreate or
“watch” a Dark Web user session. Some malware allows the investigator to
start an e-mail, send messages, and initiate transactions without the Dark
Web user’s knowledge.
The “spoofing” technique utilizes a collection method based on an
investigator operating a Dark Internet or Surface Web website. We use the
term “spoofing” to refer to an exploit or a set of exploits designed to trick
a Dark Web user into visiting a Dark Web site operated by researchers or
8 Conversations in Cyberspace

to supply data to an application or form created by law enforcement to

capture personal details. Many variations are available, and new ones are
usually introduced. The data input to the spoofed or captured Web site
is accessible to the investigator in real time and an unencrypted form.
Which Dark Websites are operated by law enforcement? Which are run
by bad actors? The research team got a list of about 150 Dark sites which
exist in more than one form. A captured Web site could exist online using
a distinct Dark Web Onion address. One strategy is to request a secondary
and primary e-mail address, a phone number, or a primary and alternate
shipping address for orders placed via the site run by law enforcement.
More sophisticated methods involve creating mobile applications which
appear to be Dark Web applications.
The “multiple exploits method” makes use of a Dark Web site under
the control of the investigative team, different infection vectors (forms,
applications, E-mail, and so on), and viruses that may migrate from a
lousy actor’s computer to that of another person known to the bad actor.
Hybrid methods can use applications which spreads through n ­ etworks.
This approach may combine remote-access management of the bad actor’s
computing device with software designed to perform ­specific actions
when the user of the compromised device is using Signal, an encrypted
messaging program, or producing videos for distribution and sale.
If the compromised computer is utilized to keep a Dark Website, the
malware can insert itself into the host server and perform specific actions
on that remote server. Combined methods make it possible for an investi-
gator to gain access to one or more servers on a network and obtain infor-
mation germane to a violation of the law across two or more computing
devices and their networks.


Citadel is an example of a software bundle which includes many fea-

tures to compromise the Dark Internet user’s computer. In 2012, based
on, Citadel’s developers offered a variant of this Zeus Tro-
jan as a software-as-a-Service. Citadel is essential since it is an example
of an exploit which works from the cloud. The change to cloud-based
tools affords many benefits. These include rapid scaling when an exploit
Introduction 9

succeeds in using digital currencies to help obfuscate the consumer of the

exploit. Citadel also contains a social network component.
The consumers of Citadel can contribute new code modules, submit
bug reports, and discuss technical issues with other Citadel users. For
law enforcement and intelligence specialists to take advantage of Citadel,
technical expertise and experience with the software are crucial. Citadel
offers different encryption choices.
The software requires a specific botnet key to download malware
updates and configuration files, in the hope to not be discovered by track-
ers. Citadel blocks the choice to download anti-virus and anti-malware


Established in 1990, ElcomSoft Co. Ltd is a privately owned c­ ompany

headquartered in Moscow, Russia. Since 1997, ElcomSoft has been actively
developing solutions for digital forensics and IT security businesses.
Today, the company maintains a wide range of cellular and computer
forensic tools, corporate security, and IT audit products. ElcomSoft prod-
ucts are used by several Fortune 500 corporations, multiple branches of
militaries all over the world, police departments, governments, and sig-
nificant accounting businesses. A complete suite of ElcomSoft password
recovery tools enables corporate and government customers to unprotect
disks and systems and decrypt files and documents protected with widely
used software. ElcomSoft’s password recovery applications are fast, but
speed depends upon the computer itself and other factors.
The password recovery software makes it easier to access password-­
protected files in Microsoft Office, Adobe PDF, Zip, and RAR formats.
Like most high-end video processing and gaming applications, ElcomSoft
uses the video card graphics processing unit to rate some calculations.
With the computational load shared between the CPU and the GPU,
the time required to recover a password for a protected file is reduced.
In addition to the password recovery tool, ElcomSoft offers a Foren-
sic Disk Decryptor, which offers investigators a fast, easy way to access
encrypted data stored in crypto containers created by BitLocker, PGP,
and ­TrueCrypt (now discontinued). ElcomSoft can decrypt the entire
10 Conversations in Cyberspace

content of an encrypted volume by mounting the volume as a drive letter

in unlocked, unencrypted mode.


EnCase has developed among the go-to forensic solutions for a seized
device or computer. The program makes it possible for investigators to
acquire data and create reports from a wide assortment of devices. Foren-
sic includes a search function to make it easy to ascertain whether par-
ticular information is on a device. Forensic can gather information from
a range of sources; for example, Webmail, chat sessions, backup files,
encrypted files, and smartphones and tablets.
A programmer can use a the Forensic scripting language, EnScript,
to automate processes. Search, and investigation or other labor-intensive
tasks can be customized using EnScript, which is similar to Java or C++.
Forensic generates US court-accepted file formats to validate the integrity
of the evidence collected. The system supports most basic file and oper-
ating systems. Forensic integrates with optional modules for processing
virtual file systems and performing decryption tasks.

Kali Linux

Kali includes over 300 pre-installed tools. Combined with Metasploit,

discussed in the following, an investigator with appropriate computer
skills can compromise Dark Web users and then make additional inroads
into a suspect computer, storage, or mobile device.
Applications acceptable for law enforcement and intelligence work
include SQL injection, and denial of service attacks, among others.
SQL injection is a sort of web application security vulnerability in
which an attacker can submit a database SQL command that is imple-
mented by a Web application, exposing the back-end database. Kali allows
manual methods when access to a user’s computer or a server is possi-
ble. Kali allows the attack to be mounted using SQLMap, another open
source tool. SQLMap simplifies the process of detecting and exploiting
SQL injection flaws and carrying over database servers.
Introduction 11

Data retrieval from the database and access to the underlying file sys-
tem is supported. Kali may also be used for blind SQL injection. In this
approach, one decides whether a Dark Web site is vulnerable to SQL
injection. If it is, a programmer can probe the website to find a database’s
tables, columns, and records. Once the probe returns a positive result,
the programmer can write scripts that iterate through possibilities. Code
samples are provided to assist the programmer in using Kali as a stage
for blind SQL injection for a single Web site or a group of Web sites of
interest to the investigator.


Analyzing relationships and displaying the mallows a bird’s-eye view of

individuals, companies, events, and other entities. The essential notion
is that visualization of relationships allows the investigator or analyst to
look at information and its interconnections. Instead of pouring through
a table of numbers, the Maltego user can spot potentially significant items
in chunks of information; for example, linking a telephone number with
an e-mail address. Maltego is free for individual users, and the commer-
cial permit fees are a fraction of those for systems available from BAE,
IBM, and other firms. You might have seen high-impact visualizations
such as this sentiment analysis Twitter messages.
Maltego processes text to recognize and indicator entities such as a
domain name, an individual, a company, a phone number, or an e-mail
address. The Maltego System uses “transforms” (statistical procedures
which relate entities of one type to another type). The outputs provide
an intuitive, speedy method to locate specific information, see necessary
connections and research individuals who access the Dark Web. The sys-
tem can generate from content the personal e-mail addresses of people
working at a particular government agency.


Metasploit is a collection of hacking software which was initially an open

source hacking tool built on the Metasploit Framework.
12 Conversations in Cyberspace

The hacking tool contains hundreds of modules (software programs).

Remote exploits allow the Metasploit programmer to develop applica-
tions which can exploit vulnerabilities in browsers, operating systems,
and third-party applications like Adobe Flash. The FBI developed its
Torpedo applications with Metasploit. The approach utilized by the FBI
appears to have exploited Adobe’s Flash software. The FBI created a direct
connection over the Web; that is, outside of Tor. This link became a path-
way for the FBI to collect information about a user.


Nmap, or Network Mapper, is a free and open source (license) utility for
network discovery and security auditing. Some technical specialists find it
useful for tasks such as network inventory, handling service update sched-
ules, and monitoring host or service uptime.
Nmap runs on Linux, Windows, and Mac OS X. It ranks among the
top 10 programs on Fresh-meat. Net repository, which contains more
than 30,000 programs. The primary goals of this Nmap Project are to
help make the Internet a bit more secure and to supply administrators/
auditors/hackers with an advanced tool for exploring their networks.
Because the complete source code is available, developers can modify
Nmap to perform more specialized functions. Nmap processes raw IP
packets to determine what hosts are available on the network, what ser-
vices those hosts are offering, what operating systems (and OS versions)
are running, what types of packet filters/firewalls are in use, and dozens
of other features.
Nmap involves a command-line Nmap interface in addition to a
graphical user interface and results in a viewer (Zenmap), a flexible data
transfer, redirection, and debugging tool (Ncat), a utility for compar-
ing scan results (Ndiff), and a packet generation and response analysis
tool (Nping).
Nmap is flexible: It supports dozens of innovative techniques for map-
ping out networks full of IP filters, firewalls, routers, and other obstacles.
This includes many port scanning mechanisms (both TCP and UDP),
operating system detection, version detection, ping sweeps, and much
more. Nmap has been used to scan large networks spanning hundreds
Introduction 13

of thousands of machines. Nmap is one of the more thoroughly docu-

mented forensics tools.
A guide, tutorials and white papers can be found, as well as a devel-
oper mailing list (nmap-dev) and a channel on Freenode an EFNet in
Open source software is free and supported by a community of users
and developers. There’s some Dark Web-related applications on GitHub
and SourceForge, and you will find freelance programming solutions
which make programmers with hacking experience available for hire.
A  helpful list of Dark Web-centric software was compiled for public
access by the Defense.

Advanced Research Projects Agency (Darpa) in http://open-catalog. The software was created by researchers, uni-
versities, individuals, and commercial organizations. The software wasn’t
designed to be downloaded and used as a program for an Android or
iPhone device. In most cases, the user was assumed to be a programmer.
The program or its constituent elements are no longer publicly avail-
able for download via the DarpaMemex directory page. If you find one
of the Memex apps, you have the task of assembling the code into oper-
ational programs or weaving a module to another piece of software. In
Annex 1 to this study, we provide a listing of some of the Darpa Dark
Web software through the centre of 2016. The majority of the programs
were a part of DARPA’s attempt to create a Google-type search system of
Dark Web content.
The Memex Project was in its third year in 2016, and detailed infor-
mation regarding the program isn’t generally available, the data which is
available on the Surface Web is fragmentary.
A Few of the apps from the 2016 Darpa directory includes Dossier
Stack, Formasaurus and HSProbe.
Dossier Stack is smart software delivered in the form of a library.
A program taps into the library to perform certain entity-centric oper-
ations. Entities can include people, places, names of businesses, aliases,
and other vital signifiers. The Dossier Stack enables a programmer to
14 Conversations in Cyberspace

construct active search applications. These can learn what users need by
monitoring and capturing their actions. The developer’s commercial soft-
ware makes it possible to mine vast flows of information and connect
entities utilizing probabilistic inference algorithms. The programmer is
Diffeo, a startup founded in 2012 that draws on experience from MIT
and MetaCarta founder John Frank.84One area of interest for the firm is
scraping the Web and creating knowledge graphs for unique entities. The
idea is to refine in a more educated way the relationships among people,
places, organizations, and named things. Diffeo integrates Basis Tech’s
language tools and uses SAP’s in-memory database technology.
Formasaurus is a software component which provides information
about form on a Web page. The python package decides whether the
way is log-in, search box, registration, password recovery, mailing list,
or a contact form. The system uses machine learning, so the precision
of this component output increases over time. Hyperion Gray is the
programmer of additional Memex modules, including Frontera (a Web-
crawl p­ rioritization routine) and Scrapy-Docker hub, apart for managing
indexing program.
Tor Hidden Service Prober HSProbe is a multithreaded python
application. The software makes use of Stem, a python controller library
for Tor. Stem allows the program to use Tor’s control protocol to script
against the Tor process or build components which can determine the sta-
tus of Tor hidden services and extract hidden support material. HSProbe
was designed to make use of protocol error codes to decide what action to
take when a covered service isn’t reached. HSProbe tests whether specified
Tor secret services (Onion addresses) are listening on one of a range of
pre-specified ports.
Additionally, the program ascertains when the secret services are com-
municating over other protocols. The programmer/user provides a list
of Onion addresses to be probed, and HSProbe outputs a list of results.
Because the Dark Web offers encryption, it’s perceived by Tor users to pro-
vide more anonymity than the Surface Web. Encryption can be broken.
With significant computing resources, most researchers will find
that encryption with 256, 512, or 1024 bit keys aren’t breakable. When
faster or more advanced computers are available, speedy decryption may
become the norm.
Introduction 15

At this moment, an investigative team asking computer scientists to

crack Dark Web encryption might be not able to read individual messages
or transaction data.
Other tools worth mention are FinFisher, DaVinci and Galileo,
­Canvas, and Pegasus.
The FinFisher tools perform remote monitoring and remote access
management. In a nutshell, the FinFisher malware is installed on a target’s
computer through an exploit; for example, the target downloads a Micro-
soft Word file that contains FinFisher code.
A goal may fall prey to an Adobe Flash exploit or an e-mail file with
an attachment containing the FinFisher payload. Fin-Fisher can also mas-
querade as legitimate software, such as Firefox.
Essential functions include lawful interception and monitoring,
Internet monitoring, blocking, information technology intrusion, satel-
lite tracking, mobile tracking and location, passive tracking of landlines,
SMS interception, speech recognition, link analysis, and radio frequency
tracking, amongst others. Licensees of FinFisher tools include Britain,
Qatar, United Arab Emirates, and America.
Company Hacking Team grows DaVinci and Galileo. Hacking
Team’s applications, according to some reports, is utilized by the US
­Federal Bureau of Investigations. Hacking Team’s rootkit installs the Gal-
ileo remote control system (RCS).
The malware can be fixed if the investigator has access to a person
of curiosity’s computer when a suspected bad actor crosses a boundary.
HackingTeam’s tool consists of code to boot into a shell program and
insert the rootkit. Hacking Team’s surveillance suite for political intercep-
tion of digital information might be detectable by anti-virus programs,
but when removed, the firmware component reinstalls the rootkit. The
company’s rootkit software is malware. The feature of the tool is to embed
instructions in the computing device central input operating system or
“Unified Extensible Firmware Interface” (UEFI). Hacking Team’s soft-
ware approach isn’t eliminated when the computing device’s hard drive is
replaced, and a fresh operating system is installed.
Hacking Team’s method pulls merely the code from the UEFI and
reinstalls the surveillance module when the computing device is rebooted.
Hacking Team’s software works on computers produced by Acer, Dell,
16 Conversations in Cyberspace

Hewlett-Packard, Lenovo, and Toshiba, among others. 128 The software,

once installed, can forward the data generated by the user, Webcams, and
other applications. This information is then uploaded to servers for addi-
tional analysis.
Canvas provides tools to tackle some exploits supported by the frame.
Government agencies can use the structure to develop solutions to severe
problems. These range from identifying a weakness in servers suspected
of hosting secret solutions to finding gaps in computing devices seized
by investigators. The business also provides consulting and engineering
services to non-profit, and government organizations.
In a 2008 white paper, Aitel identified many of those security prob-
lems which are making headlines today. The 2008 document also antic-
ipated the Snowden document release, the hacking and subsequent
distribution of Hacking Team’s applications, the occurrence of issues that
make breaches like those in the Office of Personnel Management possi-
ble, and the exponential growth of vulnerabilities. Canvas is a package
of ­software that equips investigators with offensive ability. The Canvas
framework is easy to use with an interface which makes the rich func-
tionality of the applications accessible to an investigator. The Canvas
approach is to provide the investigator with a graphical workspace. The
Canvas framework allows new polymorphic techniques to be developed
that require chip emulation. Advanced exploits become more accessible
to create and maintain.
NSO Group is a unique company in the field of Internet security soft-
ware solutions and security research (
The company’s Pegasus software attracted attention after rumors cir-
culated that the FBI recruited NSO to hack an iPhone utilized by the
San Bernadino terrorists. Pegasus can intercept data sent to and from the
telephone; for example, Gmail, Facebook, WhatsApp, and Skype infor-
mation, amongst others. The NSO approach is to rely on a streamlined
architecture that uses mobile phone networks and the international Inter-
net backbone. The authorized licensee of the NSO Pegasus system or
NSO’s engineers put up a Pegasus workstation. The workstation interacts
with the secure Pegasus installation server.
Introduction 17

The licensee or a third party puts content containing a “stub” in a

document, video, form, or another sort of file. The bad actor downloads
the “stub,” and the Pegasus installation server places the difficult-to-­detect
exploit software on the bad actor’s computing device. Once this step is
done, the Pegasus server receives information uploaded by the poor actor’s
computing device. The Pegasus licensee can then interact with the knowl-
edge and take advantage of the many tools which Pegasus includes; for
instance, geo-location of the bad actor’s device.

iPhone update: Who is the mystery company behind malware hack?. https://
Order ElcomSoft Password Recovery Bundle online.
A1d3n ANRG. See Advanced Network
AES, 105, 106 Research Group (ANRG)
BTC address, 105 AOL Instant Messenger, 88
CloudFlare, 111 AOL policy, 88
creepypastas, 114 APT. See Advanced persistent threat
deep web hosting, 107–109 (APT)
DW chats/IRCs, 105–107, 111 APT28, 94
gpg warning, 113–114 ASTM Ellan javascript HP, 34
hacktivists/activists encounter, Asymmetric cryptography, 98
111–113 Asymmetric encryption, 98–99
KIST algorithm, 113, 114 Atlayo, 84–85
mobile devices, 115–117 A1d3n, 104–117
non-JS webchats, 115 Mr. Security, 84–96
OMEMO plugin, 107
onion directories, 110 Backdoor, 57, 58, 120
ooniprobe project, 114 BAE Systems, 7
Penetration Testing Linux Behavior patterns, 39
distributions, 110 Big data methods, 22–23
PHP-based chats, 107, 111, 115 Biometrics, 38
privacy hacktivist, 104 Bitcoin-based drug dealing site, 59
Qubes, 110 BlackArch, 110
terms and conditions update, Black-hat, 64, 74, 84
technology companies, Blowfish, 98
108–109 Botnet, 9, 19, 24
3DES, 105, 106 Brave browser, 109
Tor/I2P, 109 Brute force, 102,
VPN, 113 BTC pipeline, Turkey, 126–127
VPS, 109
Advanced Encryption Standard Caesar cypher, 101, 102
(AES), 97, 100 Canvas tools, 16
Advanced Network Research Group Chinese cyber espionage, 27
(ANRG), 21 Chip-off, 139
Advanced persistent threat (APT), Cicada 3301, Th Stg
1, 21 Anonymous and Wikileaks, 79
AES. See Advanced Encryption Book of Enoch by John Dee, 80
Standard (AES) Da Vinci code, decipher key, 84, 108 Dawkins fascination, 81
Ahmia search system, 3 enlightenment, 80
AI, 83 ESP and SSP perception, 80
Anonymous, 79 human ego, 81
Anonymous online, 36–39 “human hybrid” access, 80
160 Index

imagination and pilgrimage, 79 VPN, 42

language, 79, 83 Cyber Security Assessment and
morphogenetic fields, Sheldrake Response (CyberSAR) project,
concept of, 81 20–21
open education messages, 81 participants, 26
PGP encrypted messages, 82
privacy, definitions of, 78 Dark Internet, 2
self-reliance and privacy Dark net
preservation, 77–78 ARPA, 57
Simulacra and Simulation by Jean vs. dark web, 55
Baudril, 80 vs. deep web, 31–36
Sumerian myth, 80 for good, 57–58
technological renaissance, 76, infiltrate, 58–59
82–83 intelligence, 58–59
technology with imagination, 82 Dark web, 2
work of Bruno Borges, 79–80 Ahmia, 3
C2 infrastructure, 25 vs. dark net, 55
Citadel, 8–9 Free Search Methods, 6
Clearnet, 1 GitHub and SourceForge, 13
CloudFlare, 111 Grams, 4
Club Hell, 96–97 hacking tools, 7
Colonel Gardner, 124, 126 Hidden Wiki, 2–3
Commodity threats, 25 hybrid methods, 8
Comparison interrupted time series KelvinSecTeam, definition by,
(C/ITS) analysis, 23 54–55
Conficker, 130 mobile applications, 8
Cozy Bear, 94 multiple exploits method, 8
Cracking, 37, 90, 100 Not Evil, 4–5
Crossover cable, 74 Onion Link, 5
Crowdstrike, 94 SQL injection, 11
Cryptanalysis, 102 Surface Web and Dark Internet
Crypto websites, 2, 7
containers, 9 threat intelligence, 55–56
jacking, 25 actuarial mathematical science,
Cryptography, 104 63–64
asymmetric, 98 Amber Alerts, 63
primer, 96 catch rate, 61
symmetric, 97 degree of rigor, 63
wireless, 100–101 immediate value and security
A Cryptography primer, 96–97 growth, 59–60
Cybersecurity insurance companies, 63
of civil society organizations, 23 intelligence programs, 61–62
CrowdStrike, 118 intrusion prevention services,
digital hygiene, 26 61
epidemiology paradigm, 24 mathematical sophistication,
market, 63 63
NGOs, 26 meta information, 62
public health interventions, 23–24 return on investment, 61
sliding scale, 136 risk scoring, 63
Index 161

scans and trends, 62 Domain Name Service (DNS)

vulnerabilities and attack firewall, 25
information, 62 leaking, 52–53
Torch, 5 traffic, 24
traffic tracking, 59 Dossier Stack, 13
user’s information, 7 Dot onion sites, 48, 50
DarpaMemex directory page, 13 Dragonfly 2.0, 130
DARPA’s Memex search tool, 110 DuckDuckGo, 112
Darpa software, 13–17
Data compression, 65
ECC. See Elliptical curve
Da Vinci code, decipher key, 84
cryptography (ECC)
DaVinci tools, 15
EFNet, 13
Dawkins fascination, 81
ElcomSoft, 9–10
DDoS. See Denial-of-service attacks
Elliptical curve cryptography (ECC),
Debian Linux, 77
e-mail, Mr. Security, 84–96
DeepPeep, 108
DeepSound, 67 EnCase, 10
Deep web, 1 Encryption, 7, 39, 52, 103, 104
anonymous online, 36–39 AES, 106
Citadel, 8–9 algorithms, 101, 102
vs. dark net, 31–36 asymmetric, 98–99
ElcomSoft, 9–10 Citadel, 9
EnCase, 10 communication, 112
hacking tools, 6–7 data, 41, 65
hybrid methods, 8 Dark Web, 14–15
Joseph definition, 27 DeepSound, 67
Kali Linux, 10–11 deficiency of, 85
Maltego, 11 e-mail, 42
malware, 6, 7 end-to-end, 41, 42, 106
Metasploit, 11–12 hashes, one-way encryption,
Nmap, 12–13 99–100
“spoofing” technique, 7 keys, 42, 106
Deep Web Technologies, 108 rating, 116
Denial-of-service attacks (DDoS), 119 Steghide, 66
DES, 97 symmetric, 75, 97–98
Dictionary attack, encrypted traffic, 41
passwords, 89 Website, 49
Diffie-Hellman, 98 wireless, 100–101
Digital certificate, 140 End-to-end encryption, 41, 42, 106
Digital hygiene, 26 EU biometrics, 39
Digital Insecurity in Context, 22 Evil maid assault, 141
Digital security environment, 25 Evil Wiki, 4
Digital steganography, 64, 65 EXIF data, 72
Digital threats, 25 EXIF Spider attack, 72
DNC, 93–96 Exploit, 6, 9, 10, 16, 62, 134
DNS. See Domain Name Service Adobe Flash, 15
(DNS) Canvas, 16
Documented attacks, 25 cool, 128
162 Index

difficult-to-detect exploit software, Hacker, 1, 12, 36–37, 88, 91, 92

17 advertisements, 111
multiple exploits method, 8 educating and training groups of,
remote, 112 67
spoofing, 7 GmrB (see Glorious MrBeast
vulnerabilities, 12 (GmrB))
Eyeball scanners, 38 hiring, 74–75
Internet service provider vendors,
Facebook, 28 44
Face scanners, 38 non state, 42
Fancy Bear, cyber espionage group, Russian, 95
84, 93, 94 sophisticated hacker classes, 95
FinFisher tools, 15 targeting DNC, 93
Fingerprint scanners, 38 Hacktivist, 1, 104, 111
Forensics, 10, 122 Hash algorithms, 99
digital, 9 Hashes, 99–100
Nmap, 13 Hashing, 97, 99, 100
Formasaurus, 14 HEX, 75
Free Dark Internet search methods, Hidden Service Prober (HSProbe),
6 14
Freenet, 34 Hidden services, 48, 50, 51
Hidden-Web crawler, 108
Galaxy9 Hidden Wiki, 2–3, 96
DeadWarrior420, 27–54 HSProbe. See Hidden Service Prober
GmrB, 64–74 (HSProbe)
hiring hacker on, 74–75 HTTP/SSL/TLS, 142
KelvinSecTeam, 54–64 “Human hybrid” access, 80
Galileo tools, 15
GCHQ, 141 iCloud/Google, 116
GhostNet, 19 Industrial Computer Systems (ICS)
The Glass Bead Game, 80 malware
Glorious MrBeast (GmrB) BlackEnergy, 2014, 119
data encryption, 64–65 BlackEnergy 2, 2014–2015, 119
DeepSound, 67 facts vs. myth (see Robert M. Lee)
digital steganography, 64, 65 Havex, 2013, 118
LSB process, 65 Industroyer/Crash Override, 2016,
nMap, data extraction, 72–74 120
PasteBin, 64 Stuxnet, 2010, 117–118
reconnaissance tools, 67–72 Triton, 2017, 121–122
Steghide Industrial control systems (ICS), 1
example, 66 Information Security Consortium, 62
installation, 65–66 Infosec, 122
stenography, 66–67 Internet private investigative
WAR file upload, 74 (Internet PI), 56
GmrB. See Glorious MrBeast (GmrB) Interrupted time series (ITS) analysis,
Google-backed Recorded Future, 5 23
Grams, 4 Intute, 108
Guccifer 2.0, 95 I2P Dark Internet, 7
Index 163

Jailbreak, 142 Russian IP address, 124–125

Sam worm, 130
Kali Linux OPS, 1, 10–11, 65, 110 skating environment, hijack, 133
Kernel Informed Socket Transport Staples Center, 124
(KIST) algorithm, 113 tradecraft and capabilities, 137
KeyPass backup, 116 Ukraine power grid attack, 122,
Keys, 14, 98, 101 132
decryption, 42, 102 Linux, 12, 52
encryption, 42, 106 Debian, 77
long, 105, 106 Kali, 1, 10, 65, 110
registry, 120 nMap, 74
school, 45 Penetration Testing, 108, 110
Lulz, 143
Least significant bit (LSB) process, Maltego, 11
65 Malware, 6–8, 15, 58, 90
Lee, Robert M. (ICS) anti-virus and anti-malware tools, 9
accidental attack, 138 attacks, 22, 24, 25
APT, 128 ecosystems, 21, 24
BTC pipeline, Turkey, 126–127 FinFisher, 15
circuit breaker system detection at NGOs, 21
vulnerabilities, 135 families, characterization, 24–25
Colonel Gardner, 124, 126 ICS (see Industrial Computer
conficker and slammer, 130 Systems (ICS) malware)
Crash Override, 130, 133, 138 sample collection, 59
cyberspace warfare operations Stuxnet, 99
officer, 122 updates, 9
DDD ports, 125 Man-in-the-middle, 143
Defence, 136 MD4, 100
defender and intelligence analyst, MD5, 100
123 Memex Project, 13
Dragonfly 2.0, 130 MetaCarta, 14
Dragos, Inc., CEO and founder Metadata, 95, 108
of, 122 Metasploit, 11–12
education, 122 Monas Hieroglyphica, 80
e-mail servers and skate Morphogenetic fields, Sheldrake
environments, 129 concept of, 81
HDMI communicates, 135 Mr. Security, 84–96
ICS network protocols, 134 MVP ends, 37
Iranian nuclear reactors, 129
IT security best practices, 137 Network Mapper (Nmap), 12–13
Norse cyber attack, 125 NIST, 97
operational risk, 128–129 nMap, data extraction, 72–74
Passcode’s “Influencers,” 122 Nonce, 144
physical engineering process, 131 Non-Windows hacker tools, 119
power grids failure, 123 Norse cyber attack, 125
ransomware, 128, 131 Northrop Grumman, 7
Russian cyber attack, 126 NotEvil, 4–5, 108
164 Index

NSA radar, 35 RCS. See Remote control system

NSO Pegasus system, 16 (RCS)
Reconnaissance tools, 67–72
Offensive security, 1 Red team, 128
Off-The-Record (OTR) plugin, 107 Regular phishing, 75
Onion Link, 5 Remote access tool (RAT), 118
Open-source intelligence (OSINT) Remote authentication server
tools, 1 (RADIUS), 100
OpSec, 144 Remote control system (RCS), 15
Rivest, Shamir, and Adleman (RSA),
ParrotSec, 110 98
Passcode’s “Influencers,” 122 Robots, 28–30
Password cracking, 90 Root, 29, 82, 127
Password managers, 144 Rootkit, 15
Pegasus software, 16–17 RSA. See Rivest, Shamir, and
Penetration Testing Linux Adleman (RSA)
distributions, 108, 110 Russian cyber attack, 126
Penetration testing (pentest) software,
6 Salting, 147
PGP. See Pretty Good Privacy (PGP) Sam worm, 130
PGP encrypted messages, 82 Sandworm, 119, 120
Phishing Script kiddies, 138
attack, 25, 90, 90, 93 Search engines, 2–6
e-mail, 88, 89, 92, 94, 132 SecDev Foundation, 19
message, 93 SecureWorks, 93
spear-phishing, 75, 84, 90, 93 Security budget, 60
PKI. See Public essential infrastructure Security suites, 6
(PKI) SHA1, 100
Plaintext, 103 ShadowNet, 19
Podesta emails, 84, 85, 96 Shodan, 147–148
Pretty Good Privacy (PGP), 9, 82, 84, Side channel attack, 148
98, 99, 113 Signature, 99, 104, 111
Protonmail, 42 Slammer, 130
Public essential infrastructure (PKI), Smoking Gun, 96
99 Sniffing, 148
Pwned, 145 Social context, 25
Social engineering, 25
“Quasi- experimental” design, 23 Spear-phishing, 75, 84, 90, 93
Qubes, 110 Spiders, 28
Spoofing technique, 7, 94
RADIUS. See Remote authentication Spyware, 52
server (RADIUS) SQL injection, 10–11
Rail fence cypher, 101 SQLMap, 10
Rainbow table, 146 Startling, 40
Ransomware, 22, 128, 131 Startpage, 112
RAT. See Remote access tool (RAT) State actor, 149
RC4, 98 Steganography, 64, 65
Index 165

Steghide Tor Project dot org, 49

example, 66 traffic analysis, 46
installation, 65–66 Trilla, 47
Stenography, 66–67 Triola, 47
Straight cable, 74 U.S. Naval Research Laboratory, 45
Substitution-permutation networks, Tor Browser Bundle, 50
103–104 Torch search system, 5, 108
Surface Web, 2 TorSearch, 4
Symmetric cryptography, 97 Traffic analysis, 104
Symmetric encryption, 75, 97–98 TTI. See Targeted Threat Index (TTI)
Two-factor authentication (2FA), 90,
Tails, 50, 52–54 92
Targeted Threat Index (TTI), 25 Twofish, 98
TCAP IP protocols, 32, 37
TCP, 75 UCLA, 108
Technological renaissance, 76, 82–83 UDP, 75
Telegram’s Super Secret Chats, 116 Unified Extensible Firmware Interface
The Unknowns, 84, 96 (UEFI), 15
Threat Intelligence providers, 58–59 US presidential campaign, 85–96
Threat model, 25, 39, 42, 43
3DES, 97 Verification (ditch), 151
Th Stg. See Cicada 3301, Th Stg Vigenere, 101
Token, 150 Virtual private networks (VPNs)
Tor A1d3n, 113
anonymity, 33–34 Black Eyed Peas Tor, 44
BitTorrent, 46 browsing history, 39–40
Black Eyed Peas, 44 Cammi, 43
browser, 34, 49, 50 confidentiality, 40, 41
cloud, 34 corporate privacy protection, 41
CNN dot com, 46–47, 50 data encryption, 41
cracking, 38 Eidi, 44
darknet, 35–36, 51–52 government’s surveillance, 43
definition, 45 IP address, 39
dot onion sites, 48, 50 ISP advertisers, 42
geolocation with IP addresses, 46 jurisdiction, 43
hidden services, 48, 50, 51 Kamm’s system, 39
hiding location, 46 Kubelik origin, 45
multiple proxy servers, 37 lease lines, 40
proxy classes, 51 local area networks, 40
quicktime flash, 49 monopolistic Internet service
quote-unquote darknet, 51 provider, 43
relays, 47–49, 51 non state hackers, 42
routing information, 33 Privacy Badger cookie, 45
secret service, 45 Protonmail, 42
services, 31–33 sensitive information protection,
Starbucks Wifi VPN, 43 43
tails, 50, 52–54 servers, 37
166 Index

speed data integrity, 40 malware detection at NGOs, 21

startling, 40 malware families, characterization,
Virus, 8, 53, 117 24–25
VPNs. See Virtual private networks Oxford’s Cyber Security CDT
(VPNs) programme, 21
Vulnerability (Vuln), 16, 62, 128, SecDev Foundation, 19–20
134, 136, 137 third sector vs. corporate/
circuit breaker system, 135 government sectors, 26
CyberSAR, 21 Tibetan NGOs, 19
Dark Web site, 11 Warez, 152
Metasploit, 11 WAR files, 74
Siemens Patches Vulnerabilities, WEP, 100
120 Whaling, 90
SQL injection, 10 White hat, 152
zero-day, 118 Wikileaks, 79, 87, 94, 95
of Web sites, 57 Wireless cryptography, 100–101
WordPress site, 28, 30
Walton, Greg Worm, 134
big data methods, 22–23 WPA, 100
Chinese cyber espionage, 27 WPA2-Enterprise, 100
CyberSAR project, 20–21 WPA2-PSK, 100
data collection, 23
DNS, 24 Zero-day, 63, 118
epidemiology, 23–24 Zeropoint, 21